FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at deleting values from the Windows Registry.
Registry and File format (3)
- Digital Forensics Corp shared an article by Jason Fenech at Altaro showing a few methods for accessing data on a VMDK.
How to extract data from Virtual Machines
- Scar de Courcier at Forensic Focus has posted an article on imaging locked Motorola devices. The article also provides step-by-step instructions on performing an extraction using the latest version of Oxygen Forensic Detective.
Imaging Locked Motorola Devices Via Bootloader Exploit
- Magnet Forensics have released a white paper on Android Nougat.
New White Paper: Taking Bytes out of Android Nougat Forensic Analysis
- Johan Berggren shows how the new update to Timesketch allows examiners to graphically correlate data points.
Thinking in Graphs: Exploring with Timesketch
THREAT INTELLIGENCE/HUNTING
- Joff Thyer at Black Hills Information Security explains a recent red team engagement where Cobalt Strike and Symantec endpoint protection were used.
A Morning with Cobalt Strike & Symantec
- Britton Manahan looks at “two current methods for detecting potentially injected memory sections inside a process’s virtual address space”.
Process Injection Detection: Malfind and Get-InjectedThread.ps1
- Tom at c-APT-ure provides an update on what he’s been up to, sharing a presentation and some resources on threat hunting with Sysmon.
Is this blog still alive?
- ClearSky have published a report on Charming Kitten, “an Iranian cyberespionage group operating since approximately 2014”.
Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection
- Shawn Henry at CrowdStrike has a post releasing their “Cyber Intrusion Services Casebook”, which “provides valuable insights into ever-evolving attacker tactics, techniques and procedures (TTPs)”.
Cyber Intrusion Service Casebook Offers Real-World Investigations into Today’s Most Damaging Cyberattacks
- The guys at Cyber Forensicator shared a few articles this week
  - They shared CERTitude, which “is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments.”
  CERTitude – The seeker of IOC
  - They shared Jack Wesley Riley’s “white paper with an overview of tools and techniques used by CARBANAK”.
  Anatomy of an Attack: CARBANAK
  - They also shared that Pete Finnigan’s book titled “Oracle Incident Response and Forensics: Preparing for and Responding to Data Breaches” was released last week.
  Oracle Incident Response and Forensics: Preparing for and Responding to Data Breaches
- Jack Crook at ‘DFIR and Threat Hunting’ walks through a scenario where an attacker has mounted a share and executed a script on the endpoint. He then provides a series of events that should be considered, explains how to determine what is normal, and then builds detections.
A Few of My Favorite Things – Continued
- The guys at Digital Forensics Corp shared a couple of articles on threat hunting this week
  - They shared an article by ReversingLabs which shares some information about a Cobalt payload exploiting CVE-2017-11882, as well as a YARA rule to assist detection.
  How to detect Cobalt
  - They shared an article by Abhishek Singh at Acalvio Threat Research Labs titled “Spreading Techniques and its Detection by Deception”.
  Ransomware Forensics
  - They also shared an article from ‘Security Online’ on fileless attacks.
  Five things about fileless attack
- Wouter Jansen at Fox-IT shares a method of detecting the use of the ‘eventlogedit’ NSA tool. They have also released a tool “that finds and exports any removed event log records from an event log file.”
Detection and recovery of NSA’s covered up tracks
- Adam at Hexacorn has a couple of posts this week
  - The first describes some interesting behaviour on Win10 systems: “When Windows Explorer is killed on Win 10, and then manually relaunched with an elevated account, it is actually re-launched by svchost.exe 5 seconds later via a temporary task”. Something similar was also identified by @leoloobeek.
  svchost.exe -> explorer.exe on win10
  - The second shares a “probably less-known CLSID branch that could be used to execute malware anytime you press WIN+E to open a new Windows Explorer window”.
  Beyond good ol’ Run key, Part 68
- Jacob Goldberg at ‘Infosec Topics’ provides a “method for monitoring Windows Event Log records via Elasticsearch”.
Monitoring for Windows Event Logs and the Untold Story of proper ELK Integration
- Claudio at Iran Threats compares the activity of the Flying Kitten and Rocket Kitten APT groups, which may or may not be one and the same.
Flying Kitten To Rocket Kitten, A Case Of Ambiguity And Shared Code
- Shusei Tomonaga at JPCERT/CC announces an update to their “Detecting Lateral Movement through Tracking Event Logs” report and “Tool Analysis Result Sheet”.
Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2)
- Stefan Sellmer, Shay Kels, and Karthik Selvaraj at Microsoft’s Windows Security blog “explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks”. They focus on attacks performed by the “KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk”.
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
- Casey Smith and Michael Haag at Red Canary walk through testing security controls and building detections.
Atomic Red Team Tests: Catching the Dragon by the Tail
- The SANS Infosec Reading Room has shared Barbara Filkins’ update to the 2016 guide “to evaluating next-generation antivirus”.
Updated: Out with the Old, In with the New: Replacing Traditional Antivirus
- There were a couple of posts on the SANS Internet Storm Center Handler Diaries
  - Xavier Mertens suggests compiling data that attackers are sharing on sites like Pastebin “to perform hunting in your own website’s logs” via Splunk.
  Using Bad Material for the Good, (Sat, Dec 2nd)
  - Tom Webb discusses the Hive project as an IR case platform.
  IR using the Hive Project., (Tue, Dec 5th)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ explains reflective DLL injection and shares a detection method presented by Andrew King at DEF CON 20.
What is Reflective DLL Injection and how can be detected?
- Chris Sanders at Sqrrl continues to “focus on hunting for suspicious files types by examining the presence and execution of files on the host.”
Hunting for Suspicious File Types on the Host
- Anastasios Pingios at ‘xorl %eax, %eax’ shared a YARA rule for the CIA’s OutlawCountry tool.
Understanding CIA’s OutlawCountry
UPCOMING WEBINARS/CONFERENCES
- Matt McFadden at OpenText will be hosting a webinar on how examiners can utilise EnCase to assist in analysing digital devices in child exploitation cases. The webinar will take place on Tuesday, December 12, 2017, at 11am PDT.
Webinar: Fighting Child Exploitation with Digital Forensics
- John LaCour at PhishLabs will be hosting a webinar on phishing and threat monitoring. The webinar will take place on Thursday, December 14, 2017, from 11:00 am to 12:00 pm EST.
Phishing Threat Monitoring & Forensics Webinar
- “The 11th Annual Digital Forensics and Incident Response Summit Call for Presentations is now open through 5 pm EST on Monday, January 15, 2018.” Hopefully, I can get my act together and put my presentation idea in so I get to attend again next year.
SANS DFIR Summit 2018 CFP
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from BSides Philadelphia 2017.
- Amped has released a tutorial on the new Assistant feature of Amped FIVE.
The Amped FIVE Assistant Video Tutorial
- Kevin DeLong at Avairy Solutions posted a video where he was interviewed by Kiley Wright, “a digital forensics student at Southern New Hampshire University”. One of the questions was how do you keep up with the rapidly changing technology; I have a suggestion for that :).
Questions from a Digital Forensics Student
- A couple of presentations from Black Hat USA 2017 were uploaded this week
  - Cqure Academy published the slides from Paula’s presentation from Blackhat 2017 titled “DPAPI and DPAPI-NG: Decryption Toolkit”.
  Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
- Michael Busselen at CrowdStrike shares Cliff Stoll’s “keynote address at the recent CrowdStrike Fal.Con Unite 2017 cybersecurity conference”.
Renowned Author and Cybersecurity Pioneer Clifford Stoll Mesmerizes at Fal.Con [VIDEO]
- Dave gave us a bunch of Forensic Lunches this week. They were all at a time that I was awake for (which is unusual), but I was only able to sit through one of them. I haven’t yet had a chance to watch through them (I will next week, sorry!), but Dave went through some live testing to see how Windows responded to a variety of different events. In the show that I watched, he tried to see which actions affected the last access date on FAT/exFAT file systems. This kind of testing has a really low barrier to entry, and is also really useful to share.
- Hasherezade uploaded a few videos this week.
- Malpedia’s presentation from Botconf 2017 titled “Malpedia: A Collaborative Effort to Inventorize the Malware Landscape” has been uploaded.
Check out @malpedia’s Tweet
- Karsten Hahn at Malware Analysis For Hedgehogs debugs a ROKRAT variant to obtain the payload.
Malware Analysis – ROKRAT Unpacking from Injected Shellcode
- OALabs have uploaded a tutorial looking at “two different methods to identify strings, binary data, and Yara matches in IDA Pro.”
Using Yara Rules With IDA Pro – New Tool!
- Mick Douglas was on Paul’s Security Weekly this week to explain how the ELK stack can be used to assist in identifying unauthorised hosts.
Network Telemetry with Mick Douglas, SANS Institute – Paul’s Security Weekly #538
- On this week’s Digital Forensic Survival Podcast, Michael discusses the different types of malware analyst.
DFSP # 094 – 31 Flavors of Malware Analyst
- Richard Davis has uploaded a video regarding the recent updates to Plaso as well as how to create a timeline using the tool.
Introduction to Plaso Heimdall
- Martijn Grooten at Virus Bulletin shared Paul Rascagneres and Warren Mercer’s presentation from VB2017 on how APT groups conduct reconnaissance on targets.
VB2017 paper: Modern reconnaissance phase on APT – protection layer
MALWARE
- The guys at Joe Security examine a malware sample that uses sleep evasions to evade automated malware analysis.
Threading based Sleep Evasion
- Bart Blaze at ‘Blaze’s security blog’ provides some IOCs for the BillGates Linux malware and the StorageCrypt ransomware.
- The Extreme Coders blog has a post on reversing a ransomware sample that was compiled with PyInstaller.
Reversing a PyInstaller based ransomware
- The Cylance Threat Guidance Team provided their analysis of the Terdot.A/Zloader downloader.
Threat Spotlight: Terdot.A/Zloader Malicious Downloader
- Floser Bacurio and Joie Salvio at Fortinet examine a “new phishing campaign that targets bitcoin investors by offering Gunbot, a relatively new bitcoin trading bot application. However, instead of being a tool designed to ensure more profit, it serves an Orcus RAT malware that results in the loss of investments and more.”
A Peculiar Case of Orcus RAT Targeting Bitcoin Investors
- There were a few posts on the Malwarebytes Labs blog this week
  - Jérôme Segura provides a “quick historical review of the Seamless gate and describe this latest iteration in a new format”.
  Seamless campaign serves RIG EK via Punycode
  - Thomas Reed analyses a HiddenLotus OSX malware sample.
  Interesting disguise employed by new Mac malware HiddenLotus
  - The team also posted the analysis of a Blind malware sample covering the “structure, behavior, and distribution method.”
  Napoleon: a new version of Blind ransomware
- Christiaan Beek at McAfee Labs examines a maldoc distributing a new variant of Emotet.
Emotet Downloader Trojan Returns in Force
- There were a couple of posts on the Palo Alto Networks blog this week
  - Brad Duncan provided some information regarding a Boleto Mestre malspam infection.
  Master Channel: The Boleto Mestre Campaign Targets Brazil
  - Yanhui Jia, Taojie Wang, and Zhibin Zhang analyse a malicious sample exploiting CVE-2017-11882.
  Analysis of CVE-2017-11882 Exploit in the Wild
- Renato Marinho at SANS Internet Storm Centre Handler Diaries examines “a phishing campaign spreading a banking malware [that uses] an old DOS Batch script” for distribution.
Phishing campaign uses old “.bat” script to spread banking malware – and it is flying under the radar, (Sat, Dec 2nd)
- Didier Stevens examines an RTF document and determines that it did not contain any malicious code (but may relate to a malicious actor).
Sometimes it’s a dud, (Sat, Dec 9th)
- Holger Unterbrink and Christopher Marczewski at Cisco’s Talos show “how to deobfuscate a custom .NET ConfuserEx protected malware”.
Recam Redux – DeConfusing ConfuserEx
- Bruno Braga at ‘Security Over Simplicity’ walks through analysing a malicious RTF document.
(Not) All She Wrote (Part 3): Rigged RTF Documents
- Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert at ‘The Citizen Lab’ have released a report describing “a campaign of targeted malware attacks apparently carried out by Ethiopia from 2016 until the present”.
Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware
- There were a couple of posts on the FireEye blog this week
  - Nick Harbour provides some guidance on removing junk code from disassembled binaries.
  Recognizing and Avoiding Disassembled Junk
  - Manish Sardiwal, Yogesh Londhe, Nalani Fraser, Nicholos Richard, Jaqueline O’Leary, and Vincent Cannon analyse a recent attack by APT34.
  New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
- Trend Micro provides some information about the Downad banking trojan.
CONFICKER/ DOWNAD 9 Years After: Examining its Impact on Legacy Systems
- VMRay released their monthly malware analysis recap report.
VMRay Malware Analysis Report Recap – November ’17
- Filip Kafka at We Live Security analyses a sample of the FinFisher spyware.
StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
- Anastasios Pingios at ‘xorl %eax, %eax’ has a couple of posts on malware analysis this week
  - The first describes “how fileless malware take advantage of PEB (Process Environment Block) enumeration to work”.
  Fileless malware and PEB enumeration
  - The second explains how malware authors utilise the CheckRemoteDebuggerPresent() function to slow down malware analysis.
  The CheckRemoteDebuggerPresent() anti-debugging technique
MISCELLANEOUS
- Xavier Mertens provided an overview of the recent Botconf 2017 conference.
- Eric Huber has started up his “A Fistful of Dongles” blog again; Eric also used to be a regular on the Forensic 4Cast podcast. His first post is his take on blockchains and cryptocurrencies.
Back In The Saddle Again
- Brian Carrier has a post about the recent update to Autopsy that introduced the correlation engine module and backend database. The post explains how to set up the module, populate the database, and identify connections between cases.
Correlate Cases and Get Intelligence
- Brett Shavers shares “a short video on how you can use XWF to collect data in a given eDiscovery matter”. He has also uploaded a new case study and promotional offer.
X-Ways Forensics & eDiscovery
- Chris Sanders shared week 4’s notes on the Cuckoo’s Egg, which cover chapters 15-23.
Cuckoo’s Egg – Week 4 Notes
- Doctor Cotton has started a new blog aiming to document his journey into DFIR. His first post describes the hardware that he’s purchased for his testing environment.
Building a Lab Pt.1 Hardware
- John Ahearne at DriveSavers has a post on the analysis step in the digital forensics process. This covers a variety of topics including scoping, choosing tools, and the importance of accuracy and repeatability.
Digital Forensic Process—Analysis
- Robert Merriott at Forensic Notes released three articles this week
  - The first is an interview with Stuart Rudner, an Employment Lawyer and Mediator, regarding contemporaneous notes.
  Contemporaneous Notes
  - The second presents the recommendations from various organisations about the need to take contemporaneous notes during a computer examination.
  Digital Forensics Documentation – Contemporaneous Notes Required
  - The last is an explanation of ISO 17025, which became “a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) as of October 2017”. There was also a brief discussion about the topic on Twitter. I’m interested to see how things work in the UK; if accreditation means each lab has to conduct its own evaluation of every update to every tool that they use, then they either won’t get any work done, or they will use old versions of tools. The article mentions that rates may have to go up, which may restrict the barrier to entry for small labs, and also reduce operating budgets of government labs (which probably won’t win the argument to increase their budget to cover the additional spending). I like the idea of setting a standard to work towards, and I’m also slightly worried that the standard may not get updated as quickly as technology changes. There was a recent discussion on Forensic Focus where a member stated that they were unable to make any changes to evidence without prior approval by the court. This may have been fine 20 years ago, but if someone receives an iOS device a) there’s no way they can prevent it from making changes on its own, b) examining the device makes changes, and c) getting approval per device per case will most likely take longer than the window that you’ve got to unlock the device with a pairing record. Brett’s correct that it is the wild wild west at the moment, and it seems that the court’s decision about who is and who isn’t an expert is key; it looks like an organisation, or all of them, will need to come up with a realistic standard for all labs to produce good quality work.
  ISO 17025 – Right for Digital Forensics?
- Bradley Schatz at Inside Out advises that both Forensic Explorer and X-Ways Forensics 19.5 now have AFF4 support. Something on my to-do list is to create some E01 and AFF4 images and compare the speeds. Hopefully, I can get my act together and do it.
Native AFF4 read support for X-Ways & Forensic Explorer
- Kevin DeLong started a brief discussion about the “biggest challenge in investigations [in] the near future”.
Check out @kevindelong’s Tweet
- MSAB announced a partnership with Kovar & Associates “to expand the drone forensics capabilities offered by MSAB.”
MSAB and Kovar & Associates Agree to Partner on Drone Forensics Work
- Jasper at Packet Foo provided a recap of Sharkfest 2017 EU, which was recently held in Portugal.
Sharkfest 2017 EU Recap
- Richard Bejtlich at TaoSecurity provides some guidance on things people can learn to augment their network security monitoring education.
On “Advanced” Network Security Monitoring
- Teel Technologies have launched a case management system called xBit.
xBit Digital Case Management
- Howard Oakley at ‘The Eclectic Light Company’ takes a look at extended attributes on High Sierra and lists the ones that he’s found interesting.
Extended attributes in High Sierra 10.13.2
- A couple of the project teams run by the students at The Leahy Center for Digital Investigation provided updates on their projects.
- Charlie at ‘The Supreme Perception’ has compiled a list of cyber security and DFIR interview questions. The DFIR questions lend themselves more towards the IR side of the fence.
Cyber Security and DFIR Interview Questions
SOFTWARE UPDATES
- Amped DVRConv update 10098 was released. The update allows users to split audio and video streams, as well as providing “more operational modes for selecting the files to process”.
Amped DVRConv Update 10098: more formats, more speed, more options
- Belkasoft Evidence Centre v8.6 has been released, adding a number of new features including support for additional cloud services and “new and updated computer and mobile artifacts”.
What’s new in BEC v.8.6
- UFED Physical Analyzer, UFED Logical Analyzer and Reader 6.4.5 were released. “This release provides new capabilities, support for new applications as well as an update for 229 application versions, and resolves of reported and known issues.”
UFED Physical Analyzer, UFED Logical Analyzer and Reader Version 6.4.5
- Digital Detective’s Blade v1.14 was released, adding new features including a number of new recovery profiles, $recycle bin and OLE2 file recovery, and hibernation file conversion.
Blade® v1.14 Released
- ExifTool 10.68 (development) was released, adding new tags and bug fixes.
ExifTool 10.68
- GetData updated Forensic Explorer to v4.1.0.6782, although the notes don’t indicate what’s changed since the version released last week.
5 Dec 2017 – Version 4 – Major Release – v4.1.0.6782
- Analyze Di Pro 17.2 was released.
Release of Analyze 17.2 – On top of your game
- Nicole Ibrahim has updated the FSEventsParser Python script to version 3.1, adding support for “macOS High Sierra FSEvents” and other improvements.
FSEventsParser 3.1 Released
- Katana Forensics has released Lantern 4.7.1 to fix an issue with iOS acquisition on macOS High Sierra.
- “A new version of MISP 2.4.83 has been released including attribute level tag filtering on synchronisation, full audit logging via ZMQ or Syslog, user email domain restriction at the org level, many more improvements and bug fixes.”
MISP 2.4.83 released (aka attributes-level tag filtering and more)
- MobilEdit released an update for App Analyzer (v2017-12-05-01) improving support for a few iOS and Android apps.
App Analyzer update version 2017-12-05-01
- Maxim Suhanov has updated his registry parsing utility, YARP, to version 1.0.6.
1.0.6
- Erik Hjelmvik at Netresec announced the release of TrimPCAP. This tool allows examiners to trim captured network data to contain only “the first 100kB of each TCP and UDP session”.
Don’t Delete PCAP Files – Trim Them!
- Atola Insight Forensic 4.10 was released during the week. Yulia Samoteykina at Atola Technology has a post about one of the key features, which allows examiners to set up searches that will be run during the imaging process.
Atola Insight Forensic 4.10 – Search of forensic artifacts in the course of imaging
- Rekall 1.7.2 RC1 was released with a couple of bug fixes as well as an OSX compiled binary.
Release 1.7.2 RC1
- X-Ways Forensics 19.5 SR-2 was released, with a few bug fixes and enhancements.
X-Ways Forensics 19.5 SR-2
- X-Ways Forensics 19.6 Preview 1 was released, with improved support for Linux MD RAIDs, GPS data in JPEG pictures, iOS’s netusage.sqlite, PNG files with invalid zlib compression, and large snapshots with many directories in “Path unknown”.
X-Ways Forensics 19.6 Preview 1
And that’s all for Week 49! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!